@kody-ade/kody-engine 0.4.123 → 0.4.124

package/dist/bin/kody.js

@@ -880,7 +880,7 @@ var init_loadPriorArt = __esm({
 // package.json
 var package_default = {
   name: "@kody-ade/kody-engine",
-  version: "0.4.123",
+  version: "0.4.124",
   description: "kody \u2014 autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   license: "MIT",
   type: "module",
@@ -8540,107 +8540,6 @@ init_loadPriorArt();
 import * as fs34 from "fs";
 import * as path33 from "path";
 
-// src/pool/keys.ts
-import { hkdfSync } from "crypto";
-var POOL_API_KEY_INFO = "kody-pool-api:v1";
-var RUNNER_API_KEY_INFO = "kody-runner-api:v1";
-function masterKeyBytes(raw) {
-  const v = raw.trim();
-  if (!v) throw new Error("KODY_MASTER_KEY is empty");
-  if (/^[0-9a-fA-F]+$/.test(v) && v.length === 64) {
-    return Buffer.from(v, "hex");
-  }
-  return Buffer.from(v.replace(/-/g, "+").replace(/_/g, "/"), "base64");
-}
-function deriveKey(master, info, length = 32) {
-  return Buffer.from(hkdfSync("sha256", master, Buffer.alloc(0), info, length)).toString("hex");
-}
-function derivePoolApiKey(master) {
-  return deriveKey(master, POOL_API_KEY_INFO);
-}
-function deriveRunnerApiKey(master) {
-  return deriveKey(master, RUNNER_API_KEY_INFO);
-}
-function bearerOk(headerAuth, xApiKey, expected) {
-  const x = (xApiKey ?? "").trim();
-  if (x && timingEqual(x, expected)) return true;
-  const a = (headerAuth ?? "").trim();
-  if (a.toLowerCase().startsWith("bearer ")) {
-    return timingEqual(a.slice(7).trim(), expected);
-  }
-  return false;
-}
-function timingEqual(a, b) {
-  if (a.length !== b.length) return false;
-  let diff = 0;
-  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
-  return diff === 0;
-}
-
-// src/pool/vault.ts
-import { createDecipheriv } from "crypto";
-var GITHUB_API = "https://api.github.com";
-var VAULT_PATH = ".kody/secrets.enc";
-var CACHE_TTL_MS = 6e4;
-var cache = /* @__PURE__ */ new Map();
-function decryptVault(payload, masterKey) {
-  const parts = payload.split(":");
-  if (parts.length !== 4 || parts[0] !== "v1") {
-    throw new Error("invalid vault payload format");
-  }
-  const [, ivB64, ctB64, tagB64] = parts;
-  const iv = Buffer.from(ivB64, "base64");
-  const ct = Buffer.from(ctB64, "base64");
-  const tag = Buffer.from(tagB64, "base64");
-  const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
-}
-async function readVaultSecrets(opts) {
-  const key = `${opts.owner}/${opts.repo}`.toLowerCase();
-  const hit = cache.get(key);
-  if (hit && hit.expiresAt > Date.now()) return hit.secrets;
-  const doFetch = opts.fetchImpl ?? fetch;
-  const res = await doFetch(
-    `${GITHUB_API}/repos/${encodeURIComponent(opts.owner)}/${encodeURIComponent(opts.repo)}/contents/${VAULT_PATH}`,
-    {
-      headers: {
-        Authorization: `Bearer ${opts.githubToken}`,
-        Accept: "application/vnd.github+json",
-        "User-Agent": "kody-pool-serve"
-      }
-    }
-  );
-  if (res.status === 404) {
-    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
-    return {};
-  }
-  if (!res.ok) {
-    throw new Error(`vault read ${res.status} for ${key}: ${(await res.text().catch(() => "")).slice(0, 160)}`);
-  }
-  const body = await res.json();
-  if (!body.content) {
-    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
-    return {};
-  }
-  const ciphertext = Buffer.from(body.content, body.encoding ?? "base64").toString("utf8").trim();
-  const doc = JSON.parse(decryptVault(ciphertext, opts.masterKey));
-  const flat = {};
-  for (const [name, entry] of Object.entries(doc.secrets ?? {})) {
-    if (entry && typeof entry.value === "string") flat[name] = entry.value;
-  }
-  cache.set(key, { secrets: flat, expiresAt: Date.now() + CACHE_TTL_MS });
-  return flat;
-}
-async function readRepoSecret(opts) {
-  const secrets = await readVaultSecrets(opts);
-  const v = secrets[opts.name];
-  return v && v.trim() ? v : null;
-}
-async function readRepoSecrets(opts) {
-  return readVaultSecrets(opts);
-}
-
 // src/scripts/kodyVariables.ts
 import * as fs33 from "fs";
 import * as path32 from "path";
@@ -8667,26 +8566,7 @@ function readKodyVariables(cwd) {
 }
 
 // src/scripts/loadQaContext.ts
-var VAULT_REL_PATH = ".kody/secrets.enc";
 var PROFILE_DIR_REL_PATH = ".kody/profile";
-function readVaultPassword(cwd) {
-  const rawKey = process.env.KODY_MASTER_KEY;
-  if (!rawKey) return "";
-  const vaultPath = path33.join(cwd, VAULT_REL_PATH);
-  if (!fs34.existsSync(vaultPath)) return "";
-  try {
-    const payload = fs34.readFileSync(vaultPath, "utf-8").trim();
-    const doc = JSON.parse(decryptVault(payload, masterKeyBytes(rawKey)));
-    const entry = doc.secrets?.LOGIN_PASSWORD;
-    if (entry && typeof entry.value === "string" && entry.value.length > 0) return entry.value;
-    return "";
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(`[loadQaContext] could not read LOGIN_PASSWORD from vault: ${msg}
-`);
-    return "";
-  }
-}
 function readProfile(cwd) {
   const dir = path33.join(cwd, PROFILE_DIR_REL_PATH);
   if (!fs34.existsSync(dir)) return "";
@@ -8723,7 +8603,7 @@ function composeAuthBlock(authProfile, login, password) {
 var loadQaContext = async (ctx) => {
   const vars = readKodyVariables(ctx.cwd);
   const login = vars.LOGIN_USER ?? "";
-  const password = readVaultPassword(ctx.cwd);
+  const password = process.env.LOGIN_PASSWORD ?? "";
   const authProfile = ctx.args.authProfile;
   ctx.data.qaLogin = login;
   ctx.data.qaProfile = readProfile(ctx.cwd);
@@ -9671,6 +9551,70 @@ function errMsg2(err) {
   return err instanceof Error ? err.message : String(err);
 }
 
+// src/pool/vault.ts
+import { createDecipheriv } from "crypto";
+var GITHUB_API = "https://api.github.com";
+var VAULT_PATH = ".kody/secrets.enc";
+var CACHE_TTL_MS = 6e4;
+var cache = /* @__PURE__ */ new Map();
+function decryptVault(payload, masterKey) {
+  const parts = payload.split(":");
+  if (parts.length !== 4 || parts[0] !== "v1") {
+    throw new Error("invalid vault payload format");
+  }
+  const [, ivB64, ctB64, tagB64] = parts;
+  const iv = Buffer.from(ivB64, "base64");
+  const ct = Buffer.from(ctB64, "base64");
+  const tag = Buffer.from(tagB64, "base64");
+  const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
+}
+async function readVaultSecrets(opts) {
+  const key = `${opts.owner}/${opts.repo}`.toLowerCase();
+  const hit = cache.get(key);
+  if (hit && hit.expiresAt > Date.now()) return hit.secrets;
+  const doFetch = opts.fetchImpl ?? fetch;
+  const res = await doFetch(
+    `${GITHUB_API}/repos/${encodeURIComponent(opts.owner)}/${encodeURIComponent(opts.repo)}/contents/${VAULT_PATH}`,
+    {
+      headers: {
+        Authorization: `Bearer ${opts.githubToken}`,
+        Accept: "application/vnd.github+json",
+        "User-Agent": "kody-pool-serve"
+      }
+    }
+  );
+  if (res.status === 404) {
+    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
+    return {};
+  }
+  if (!res.ok) {
+    throw new Error(`vault read ${res.status} for ${key}: ${(await res.text().catch(() => "")).slice(0, 160)}`);
+  }
+  const body = await res.json();
+  if (!body.content) {
+    cache.set(key, { secrets: {}, expiresAt: Date.now() + CACHE_TTL_MS });
+    return {};
+  }
+  const ciphertext = Buffer.from(body.content, body.encoding ?? "base64").toString("utf8").trim();
+  const doc = JSON.parse(decryptVault(ciphertext, opts.masterKey));
+  const flat = {};
+  for (const [name, entry] of Object.entries(doc.secrets ?? {})) {
+    if (entry && typeof entry.value === "string") flat[name] = entry.value;
+  }
+  cache.set(key, { secrets: flat, expiresAt: Date.now() + CACHE_TTL_MS });
+  return flat;
+}
+async function readRepoSecret(opts) {
+  const secrets = await readVaultSecrets(opts);
+  const v = secrets[opts.name];
+  return v && v.trim() ? v : null;
+}
+async function readRepoSecrets(opts) {
+  return readVaultSecrets(opts);
+}
+
 // src/pool/registry.ts
 var POOL_MIN_VAULT_KEY = "POOL_MIN";
 var POOL_MIN_MAX = 10;
@@ -9800,6 +9744,43 @@ var PoolRegistry = class {
   }
 };
 
+// src/pool/keys.ts
+import { hkdfSync } from "crypto";
+var POOL_API_KEY_INFO = "kody-pool-api:v1";
+var RUNNER_API_KEY_INFO = "kody-runner-api:v1";
+function masterKeyBytes(raw) {
+  const v = raw.trim();
+  if (!v) throw new Error("KODY_MASTER_KEY is empty");
+  if (/^[0-9a-fA-F]+$/.test(v) && v.length === 64) {
+    return Buffer.from(v, "hex");
+  }
+  return Buffer.from(v.replace(/-/g, "+").replace(/_/g, "/"), "base64");
+}
+function deriveKey(master, info, length = 32) {
+  return Buffer.from(hkdfSync("sha256", master, Buffer.alloc(0), info, length)).toString("hex");
+}
+function derivePoolApiKey(master) {
+  return deriveKey(master, POOL_API_KEY_INFO);
+}
+function deriveRunnerApiKey(master) {
+  return deriveKey(master, RUNNER_API_KEY_INFO);
+}
+function bearerOk(headerAuth, xApiKey, expected) {
+  const x = (xApiKey ?? "").trim();
+  if (x && timingEqual(x, expected)) return true;
+  const a = (headerAuth ?? "").trim();
+  if (a.toLowerCase().startsWith("bearer ")) {
+    return timingEqual(a.slice(7).trim(), expected);
+  }
+  return false;
+}
+function timingEqual(a, b) {
+  if (a.length !== b.length) return false;
+  let diff = 0;
+  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
+  return diff === 0;
+}
+
 // src/scripts/poolServe.ts
 var PERF_GUEST = {
   low: { cpu_kind: "shared", cpus: 2, memory_mb: 2048 },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kody-ade/kody-engine",
-  "version": "0.4.123",
+  "version": "0.4.124",
   "description": "kody — autonomous development engine. Single-session Claude Code agent behind a generic executor + declarative executable profiles.",
   "license": "MIT",
   "type": "module",